Remote TLS logging, I think


Post by drmikecrowe » Fri Oct 17, 2008 2:12 pm

OK, I finally got the remote TLS working with 3.9.12. FYI, Ubuntu users have these issues:
  • certtool is not available on ubuntu distros -- had to figure out how to use CA.pl to generate
  • The stock ubuntu distro has a version number of 1.19.12
  • The stock ubuntu distro does not include tls support, so I had to remove and compile manually to use that

Now for the strangeness: If I start both client and server up with "-d -c3", they both communicate and the logs get dumped into my phplogcon MySQL db from the remote host. However, if I now start normally (and I'm using a hacked init.d script that just calls rsyslogd with -c3 as the param), I *maybe* get 1 message from the remote host as follows:
[origin software="rsyslogd" swVersion="3.19.12" x-pid="4703" x-info="http://www.rsyslog.com"] restart

Otherwise, nothing. If I do a "logger Test", nothing gets to the client syslog (are items echo'd there and remotely?), and nothing goes to the remote client.

If I start the server in -d mode, I get all the debugging when I do the client in -d mode, but nothing when I start rsyslogd normally.

Am I missing something basic here?
TIA
Mike

Re: Remote TLS logging, I think

Post by rgerhards » Fri Oct 17, 2008 3:25 pm

The strangeness sounds like some of the modules are either not installed or are installed into the wrong directories (the latter is something that I frequently see on Fedora). Please check if make install puts things into the correct places (which are distro-specific, so I unfortunately do not know which these are...).

Rainer

Re: Remote TLS logging, I think

Post by drmikecrowe » Fri Oct 17, 2008 10:10 pm

Well, I use the vanilla options when I compile (./configure --enable-gnutls and --enable-mysql on the server). The config options on the server are:
Code:
$ModLoad imuxsock
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/cacert.pem
$DefaultNetstreamDriverCertFile /etc/ssl/signedcert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/newkey.pem
$ModLoad /usr/local/lib/rsyslog/imtcp.so
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
$InputTCPServerRun 10514 # start up listener at port 10514
$ModLoad MySQL
*.* >localhost,Syslog,rsyslog,xxxxxxx


On the client, I just have:
Code:
$DefaultNetstreamDriverCAFile /etc/ssl/cacert.pem
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
*.* @@(o)1.2.3.4:10514 # send (all) messages


If it were just the modules, why would the rsyslogd -d work and not the init.d?

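Both configs in the post above set the stream driver AuthMode to anon, so the link is encrypted but neither end checks the other's certificate. As an added example (not part of the original posts), here is the same setup with x509/name authentication; the peer names central.example.net and *.example.net and the client certificate/key paths are placeholders, and it assumes an rsyslog build whose gtls driver supports x509/name.

```conf
# Added example, not from the thread.
# Peer names and client cert/key paths below are placeholders.

# --- server (receiver); output rules stay as posted ---
$ModLoad imuxsock
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/cacert.pem
$DefaultNetstreamDriverCertFile /etc/ssl/signedcert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/newkey.pem
$ModLoad /usr/local/lib/rsyslog/imtcp.so
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
# was: $InputTCPServerStreamDriverAuthMode anon
$InputTCPServerStreamDriverAuthMode x509/name # client cert must chain to the CA file
$InputTCPServerStreamDriverPermittedPeer *.example.net # placeholder: names allowed to send
$InputTCPServerRun 10514 # keep this after the StreamDriver settings

# --- client (sender) ---
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/cacert.pem
$DefaultNetstreamDriverCertFile /etc/ssl/client-cert.pem # placeholder path
$DefaultNetstreamDriverKeyFile /etc/ssl/client-key.pem # placeholder path
$ActionSendStreamDriverMode 1 # require TLS for the connection
# was: $ActionSendStreamDriverAuthMode anon
$ActionSendStreamDriverAuthMode x509/name # server cert is verified
$ActionSendStreamDriverPermittedPeer central.example.net # placeholder: expected server name
*.* @@(o)central.example.net:10514 # send (all) messages
```

With x509/name the client needs its own certificate and key signed by the same CA, which the anon client config did not require.
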
Re: Remote TLS logging, I think

Post by drmikecrowe » Fri Oct 17, 2008 10:18 pm

OK, did a little more digging. If I remove -c3 from the init.d script, I get:
2008-10-17T21:18:02.604586+00:00 kaylee rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c3 as the first rsyslogd option.
2008-10-17T21:18:02.604589+00:00 kaylee rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad immark
2008-10-17T21:18:02.604592+00:00 kaylee rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: MarkMessagePeriod 1200
2008-10-17T21:18:02.604595+00:00 kaylee rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad imuxsock
2008-10-17T21:20:56.114535+00:00 kaylee rsyslogd: [origin software="rsyslogd" swVersion="3.19.12" x-pid="2367" x-info="http://www.rsyslog.com"] restart


My main rsyslogd.conf is:
Code:
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages
*.emerg                         *
daemon.*;mail.*;\
        news.err;\
        *.=debug;*.=info;\
        *.=notice;*.=warn       |/dev/xconsole
$IncludeConfig /etc/rsyslog.d/


which is Ubuntu's default.

Where are those weird defaults coming from for things like ModLoad immark?

Re: Remote TLS logging, I think

Post by drmikecrowe » Fri Oct 17, 2008 10:21 pm

Oh yeah: If I omit "-c3", "logger Test" pumps "Test" through to phpLogCon, so there's something weird in my config (not the TLS settings).

Re: Remote TLS logging, I think

Post by rgerhards » Tue Oct 21, 2008 3:45 pm

I just found out that on Ubuntu (probably also on Debian), the startup script checks if a file /etc/default/rsyslog exists. If it does, the settings from there override what is defined in the startup script itself. This, for me, was the source why rsyslogd did not start up with -r.

HTH
Rainer